[NEWS] Web Browsers Ignore Content-Type Headers Allowing Cross-site Scripting

From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 16 Feb 2002 23:40:18 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Web Browsers Ignore Content-Type Headers Allowing Cross-site Scripting
------------------------------------------------------------------------

SUMMARY

The Content-Type header of an HTTP object defines its MIME type, which in
turn defines how the object should be handled. A number of web browsers
ignore this header, resulting in the object being mis-handled. This can
lead to cross-site scripting vulnerabilities in some web-based
applications.

DETAILS

Vulnerable systems:
Internet Explorer
Opera Web Browser

A number of header fields are defined for HTTP that give meta-information
about the object being supplied. One such header, the Content-Type,
defines the MIME type of the object, which in turn specifies how the
object should be handled by web browsers.

A browser that fails to honor the MIME type of an object can expose users
to a number of security-related problems, cross-site scripting among them.

Microsoft Internet Explorer (versions 5.x and 6, tested with all available
security bundles and related bug fixes) and, under some configurations,
the Opera web browser fail to honor the text/plain MIME type and instead
interpret the object as text/html. As a result, any script embedded in the
object is executed.

One implication is that web applications which deliberately serve content
with a text/plain MIME type in order to protect their users from
client-side scripting lose that protection whenever the user's browser is
one of the vulnerable ones.

A number of WebMail and Bulletin Board systems are likely to be
susceptible to this issue.

Netscape and Mozilla browsers do not have this problem.

Notes:
1. Microsoft Security Bulletin MS01-058 addresses a vulnerability in the
handling of MIME types in Internet Explorer. That bulletin addresses
separate issues, and the subsequent patch does not fix the problem
described above.

2. Microsoft released a security fix bundle for IE on 11 February 2002
(MS02-005) that "eliminates all previously discussed security
vulnerabilities". This security problem is not addressed in that bundle.

3. Similar issues regarding IE handling of MIME types have previously been
discussed in Microsoft TechNet Article Q258452:
<http://www.microsoft.com/technet/support/kb.asp?ID=258452>

Workaround:
 * Internet Explorer - disable scripting.

 * Opera - select "File->Preferences->Applications->File types" and then
check the "Determine action by MIME type" option.

Example:
A request for an object such as:
  http://www.example.net/mtest.php

returns a document such as:

    HTTP/1.1 200 OK
    Date: Mon, 04 Feb 2002 14:13:00 GMT
    Server: Apache/1.3.22 (Unix)
    Content-Type: text/plain

    <h1>broken browser test script</h1>
    <p>
    <script>alert("I could steal your cookie!!")</script>

This results in the embedded JavaScript being executed by the web browser,
even though the object carries a text/plain MIME type.
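The lesson of the example above is that a server cannot rely on the client
honoring Content-Type. The following Python module is an added example, not
part of the advisory and not code from any of the vendors named in it. It
contrasts the "weak" response (the advisory's test body served as
text/plain) with two hardened alternatives: escaping the untrusted markup so
it is inert even when parsed as HTML, and, for genuine plain-text delivery,
adding Content-Disposition: attachment together with
X-Content-Type-Options: nosniff (a header that postdates this 2002 advisory;
browsers from this era ignore it). The function names and the
executable_if_sniffed() heuristic are my own; the sample body is the
advisory's test document, reproduced here as constructed input.

```python
import html
import re
from typing import Dict, Tuple

# Constructed sample: the advisory's own test body, exactly as the
# vulnerable page would emit it to the browser.
UNTRUSTED_BODY = (
    '<h1>broken browser test script</h1>\n'
    '<p>\n'
    '<script>alert("I could steal your cookie!!")</script>\n'
)

# Conservative pattern for markup that would become active if a browser
# ignored the declared type and parsed the body as HTML. Heuristic only;
# it errs on the side of flagging, which is what a review check wants.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed|img|svg)\b|\bon\w+\s*=",
    re.IGNORECASE,
)

Response = Tuple[Dict[str, str], str]


def executable_if_sniffed(body: str) -> bool:
    """True if the body carries active content once treated as text/html."""
    return ACTIVE_MARKUP.search(body) is not None


def weak_response(body: str) -> Response:
    """The pattern the advisory warns about: the only defence is the
    Content-Type header, which IE 5.x/6 and some Opera configurations
    ignore. The script in the body survives intact."""
    return {"Content-Type": "text/plain"}, body


def hardened_html_response(body: str) -> Response:
    """Serve untrusted text as HTML on purpose, but HTML-escape it first.
    Whether or not the browser respects Content-Type, '<script>' arrives
    as '&lt;script&gt;' and is displayed, never executed."""
    escaped = html.escape(body, quote=True)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Postdates the advisory; harmless to older browsers, honoured by
        # later ones that would otherwise sniff.
        "X-Content-Type-Options": "nosniff",
    }
    return headers, f"<pre>{escaped}</pre>"


def hardened_plain_download(body: str, filename: str) -> Response:
    """For content that really must stay text/plain (log extracts, raw
    message source): mark it as a download so it is never rendered
    in-page, and forbid sniffing. The body itself is left untouched."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def render(resp: Response) -> str:
    """Serialise headers and body in the wire format shown in the advisory."""
    headers, body = resp
    lines = ["HTTP/1.1 200 OK"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    for label, resp in (
        ("weak", weak_response(UNTRUSTED_BODY)),
        ("hardened html", hardened_html_response(UNTRUSTED_BODY)),
        ("hardened download", hardened_plain_download(UNTRUSTED_BODY, "mtest.txt")),
    ):
        _, body = resp
        print(f"--- {label}: active if sniffed = {executable_if_sniffed(body)}")
        print(render(resp))
```

Of the three, only the escaped HTML response is safe against a client that
ignores Content-Type entirely; the download variant still depends on the
browser honoring at least Content-Disposition, so it suits raw-text export
rather than in-page display of user-supplied content.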

Vendor status:
Advisory Sent to Microsoft (secure@microsoft.com). A bug report was filed
with Opera.

ADDITIONAL INFORMATION

The information has been provided by <mailto:pre@geekgang.co.uk> pre.
